Title
n
Nimit
11/10/2022, 5:47 PMhi @Charith (Cerbos) noticed a difference between "IsAllowed" and "QueryPlan" .. i have the following 2 policies (base and a scoped)
All actions blocked in the base BUT VIEW action allowed in scoped
Both resource and principal have the correct scope set.
When i try to check for VIEW access using "IsAllowed" i get an ALLOWED .. but using Plan is says BLOCKED
As the specs say if the answer can be resolved from the scoped policy, why is the base being queried for plan ?
base.yml
apiVersion: <http://api.cerbos.dev/v1|api.cerbos.dev/v1>resourcePolicy:resource: interactionsversion: defaultrules:- actions:- "*"roles:- powerusereffect: EFFECT_DENYapiVersion: <http://api.cerbos.dev/v1|api.cerbos.dev/v1>resourcePolicy:resource: interactionsversion: defaultrules:- actions:- VIEWroles:- powerusereffect: EFFECT_ALLOWscope: T00101581-3dd4-40b8-a2e3-175624586f85{"requestId": "123123","principal": {"id": "123","roles": ["poweruser"],"attr": {},"scope": "T00101581-3dd4-40b8-a2e3-175624586f85"},"resources": [{"resource": {"kind": "interactions","id": "123","scope": "T00101581-3dd4-40b8-a2e3-175624586f85","attr": {}},"actions": ["VIEW"]}]}a
Alex Olivier (Cerbos)
11/10/2022, 6:01 PMHey the query plan in the playground doesnโt support scopes right now. Do you get the same result when you run the PDP locally?
c
Charith (Cerbos)
11/10/2022, 6:04 PMYep, I think it's the Playground. It works locally
cat <<EOF | curl --silent "<http://localhost:3592/api/plan/resources?pretty>" -d @-
{
"requestId": "query-plan",
"resource": {
"kind": "interactions",
"scope": "T00101581-3dd4-40b8-a2e3-175624586f85"
},
"principal": {
"id": "123",
"roles": [
"poweruser"
]
},
"action": "CREATE",
"includeMeta": true
}
EOF{
"requestId": "query-plan",
"action": "CREATE",
"resourceKind": "interactions",
"filter": {
"kind": "KIND_ALWAYS_ALLOWED"
},
"meta": {
"filterDebug": "(true)",
"matchedScope": "T00101581-3dd4-40b8-a2e3-175624586f85"
}a
Alex Olivier (Cerbos)
11/10/2022, 6:05 PMThere is a pending item to add scope - will bump it up the list
n
Nimit
11/10/2022, 7:16 PMhey guys, in that case i am confused ๐
While curl/postman gives ALWAYS_ALLOWED, running the same code in golang and invoking the api "PlanResources" gives a different result, try the following code :
c, err := client.New("localhost:3593", client.WithPlaintext())if err != nil {log.Fatalf("Error creating Cerbos client: %v", err)}roles := []string{"poweruser"}resp, err := c.PlanResources(context.Background(),client.NewPrincipal("123").WithRoles(roles...).WithScope("T00101581-3dd4-40b8-a2e3-175624586f85"),client.NewResource("interactions", "id").WithScope("T00101581-3dd4-40b8-a2e3-175624586f85"),"VIEW")fmt.Println(resp.Filter.Kind)c
Charith (Cerbos)
11/10/2022, 7:37 PMOh it looks like a bug in the Go client. The scope is not being set on the resource ๐. We'll get it fixed ASAP.
n
Nimit
11/10/2022, 7:47 PMThanks a lot charith, thought I was loosing my mind ๐
c
Charith (Cerbos)
11/11/2022, 8:43 AMThe fix has landed, thanks to @Dennis (Cerbos). It'll take a few days for us to do a release, but, you can use it right away if you don't mind using the
maingo get <http://github.com/cerbos/cerbos/client@main|github.com/cerbos/cerbos/client@main>n
Nimit
11/11/2022, 8:44 AMthanks charith/dennis, appreciate the quick turnaround.. will wait for the release :)
hi @Charith (Cerbos) any plans for a release, imminently ? pls keep me in the loop, thanks
c
Charith (Cerbos)
11/14/2022, 1:43 PMHey, we are waiting for another fix that we want to include in the release and it's taking a little longer than expected. Hopefully it will be done this week.
If you're in a hurry, it's quite safe to use the SDK from
mainn
Nimit
11/15/2022, 1:28 PMhi @Charith (Cerbos) tried pulling in the latest cerbos (from main) and building.. and see this error:
# github.com/cerbos/cerbos/internal/observability/logging
119
Error: ../../../go/pkg/mod/github.com/cerbos/cerbos@v0.22.1-0.20221111075933-f61a749212c4/internal/observability/logging/logging.go:101:105: undefined: atomic.Bool
120
Error: ../../../go/pkg/mod/github.com/cerbos/cerbos@v0.22.1-0.20221111075933-f61a749212c4/internal/observability/logging/logging.go:120:24: undefined: atomic.Bool
121
note: module requires Go 1.19
122
Error: Process completed with exit code 2.
c
Charith (Cerbos)
11/15/2022, 1:33 PMWhich version of Go are you on?
n
Nimit
11/15/2022, 1:54 PM1.18
c
Charith (Cerbos)
11/15/2022, 2:00 PMI see. I am guessing you can't use the
v0.22.0n
Nimit
11/15/2022, 2:01 PMmm we are on 21 .. and i tried moving to main and had that issue.. havent tried 22 TBH
c
Charith (Cerbos)
11/15/2022, 2:04 PMYeah, It looks like we accidentally used a Go 1.19 feature in one of the features we introduced in 0.22. I'll see if it can be reverted back.
n
Nimit
11/15/2022, 2:04 PMthanks ๐
c
Charith (Cerbos)
11/22/2022, 10:56 AMHey, if you didn't see the announcement already, we released a new version yesterday that includes the scope fix to the SDK.